
Configuring RDP over the internet

Solved by Master Disaster

I have a question about setting up RDP over the internet. I'm not very experienced/knowledgeable about networks so ideas/guidance on what I can read up on to make this work (if it is actually possible) would be helpful.

 

So the way my home network is set up -

1. I have a modem that was provided by my ISP. This has WiFi capability but its range and speeds are very poor so I use my own WiFi router. This is on the 192.168.0.1 network internally. The WiFi on this network is disabled but can be enabled if required.

2. I have a WiFi router that I use to get better WiFi coverage at home. This is on the 192.168.1.1 network. All the devices in my house connect to this network. I could use this router as a repeater so that all the devices at home are on the 192.168.0.1 network but that hampers my data speeds. It doesn't have modem capabilities so I can't swap out the ISP modem with this device.

3. I have a couple of computers at home on Win 10 Pro that I want to connect to from outside my home network.

4. I have Norton Internet Security installed - but I think I have configured it to allow RDP. RDP works well within my 192.168.1.1 network. I disable it to test external RDP as required so that I'm sure that's not the problem.

 

All my 10+ devices on the 192.168.1.1 network have the same public IP address. I suspect that's the problem (or the biggest one at least). How could I allow for the computers I want access to to have different public IPs? I'm fine with them being dynamic IPs because someone at home can look up the IP address if required.

 

Is port forwarding the answer, and how do I do it across two routers/networks?

 

Feedback, guidance or even pointing to appropriate resources for me to read up would be very very appreciated.

https://linustechtips.com/topic/1224477-configuring-rdp-over-the-internet/

Probably it's easier if you just install Team Viewer.

Configuring RDP to work over internet is pretty complicated.

Ryzen 5700g @ 4.4ghz all cores | Asrock B550M Steel Legend | 3060 | 2x 16gb Micron E 2666 @ 4200mhz cl16 | 500gb WD SN750 | 12 TB HDD | Deepcool Gammax 400 w/ 2 delta 4000rpm push pull | Antec Neo Eco Zen 500w


12 minutes ago, SupaKomputa said:

Probably it's easier if you just install Team Viewer.

Configuring RDP to work over internet is pretty complicated.

No it isn't.

 

20 minutes ago, The Rabid Crow said:

I have a question about setting up RDP over the internet. I'm not very experienced/knowledgeable about networks so ideas/guidance on what I can read up on to make this work (if it is actually possible) would be helpful.

 

So the way my home network is set up -

1. I have a Technicolor modem that was provided by my ISP. This has WiFi capability but its range and speeds are very poor so I use my own WiFi router. This is on the 192.168.0.1 network internally. The WiFi on this network is disabled but can be enabled if required.

2. I have a TPLink WiFi router that I use to get better WiFi coverage at home. This is on the 192.168.1.1 network. All the devices in my house connect to this network. I could use this router as a repeater so that all the devices at home are on the 192.168.0.1 network but that hampers my data speeds. It doesn't have modem capabilities so I can't swap out the ISP modem with this device.

3. I have a couple of computers at home on Win 10 Pro that I want to connect to from outside my home network.

4. I have Norton Internet Security installed - but I think I have configured it to allow RDP. RDP works well within my 192.168.1.1 network. I disable it to test external RDP as required so that I'm sure that's not the problem.

 

All my 10+ devices on the 192.168.1.1 network have the same public IP address. I suspect that's the problem (or the biggest one at least). How could I allow for the computers I want access to to have different public IPs? I'm fine with them being dynamic IPs because someone at home can look up the IP address if required.

 

Is port forwarding the answer, and how do I do it across two routers/networks?

 

Feedback, guidance or even pointing to appropriate resources for me to read up would be very very appreciated.

You need to set up a port forwarding rule on your router to forward port 3389 to the machine you want to access externally.

 

Since you're using 2 routers you also need to make sure the first router has its firewall disabled or is forwarding everything to the second router.

 

In your example you need to open the first router's (192.168.0.1) config page and forward all incoming connections on port range 1 - 65535 TCP & UDP on to 192.168.1.1 (the second router). Outgoing should be fine since most routers allow all outgoing traffic by default.

 

Then on the second router you need to forward port 3389 to the machine you want to access.

 

After that, dialling in to your external IP address in RDP should access the client you forwarded to.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


1 hour ago, Master Disaster said:

No it isn't.

 

You need to set up a port forwarding rule on your router to forward port 3389 to the machine you want to access externally.

 

Since you're using 2 routers you also need to make sure the first router has its firewall disabled or is forwarding everything to the second router.

 

In your example you need to open the first router's (192.168.0.1) config page and forward all incoming connections on port range 1 - 65535 TCP & UDP on to 192.168.1.1 (the second router). Outgoing should be fine since most routers allow all outgoing traffic by default.

 

Then on the second router you need to forward port 3389 to the machine you want to access.

 

After that, dialling in to your external IP address in RDP should access the client you forwarded to.

You don't want to use RDP over the Internet though, as it's not a secure protocol. RDP should only be used over some sort of VPN or other secure tunnel such as SSH.

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


1 hour ago, Master Disaster said:

No it isn't.

Maybe for you. For somebody who doesn't know how networking works, this is a difficult process.

Plus, like @Alex Atkin UK said, opening the RDP port is not good practice on a public network.

It's easier just to use a remote program like TeamViewer, Splashtop or AnyDesk.


1 hour ago, Alex Atkin UK said:

You don't want to use RDP over the Internet though, as it's not a secure protocol. RDP should only be used over some sort of VPN or other secure tunnel such as SSH.

Yes it is. RDP uses end-to-end encryption. The security issues come from allowing remote access to take administrator privileges over a server, but for someone dialling into their home PC this isn't something you should worry about, since it's more than likely you're already using an admin account locally anyway.


3 hours ago, Master Disaster said:

No it isn't.

 

You need to set up a port forwarding rule on your router to forward port 3389 to the machine you want to access externally.

 

Since you're using 2 routers you also need to make sure the first router has its firewall disabled or is forwarding everything to the second router.

 

In your example you need to open the first router's (192.168.0.1) config page and forward all incoming connections on port range 1 - 65535 TCP & UDP on to 192.168.1.1 (the second router). Outgoing should be fine since most routers allow all outgoing traffic by default.

 

Then on the second router you need to forward port 3389 to the machine you want to access.

 

After that, dialling in to your external IP address in RDP should access the client you forwarded to.

 

Yes... but I need to access a couple of computers. This method would only work for one of them correct?


9 minutes ago, The Rabid Crow said:

 

Yes... but I need to access a couple of computers. This method would only work for one of them correct?

Nah, you can easily change the port on the second machine then set up 2 rules in your router.

 

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port

 

Then when you connect you would do xxx.xxx.xxx.xxx:3389 to access machine one and xxx.xxx.xxx.xxx:anotherport to access machine two.

 

I should add AFAIK that both machines will need to be running Windows 10 Pro. IIRC Home has a restriction where you cannot RDP in unless a user is already signed in.


29 minutes ago, Master Disaster said:

Nah, you can easily change the port on the second machine then set up 2 rules in your router.

 

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/change-listening-port

 

Then when you connect you would do xxx.xxx.xxx.xxx:3389 to access machine one and xxx.xxx.xxx.xxx:anotherport to access machine two.

 

I should add AFAIK that both machines will need to be running Windows 10 Pro. IIRC Home has a restriction where you cannot RDP in unless a user is already signed in.

Perfect... that's what I needed thank you.

 

And yes they're all running Win 10 Pro. AFAIK Home doesn't support RDP at all.


5 minutes ago, The Rabid Crow said:

Perfect... that's what I needed thank you.

 

And yes they're all running Win 10 Pro. AFAIK Home doesn't support RDP at all.

It has Remote Assistance but I believe it requires an account logged in on the client to work.


3 weeks later...

Exposing RDP to the Internet is relatively straightforward, even behind two routers.

 

Using the following IPs as an example:

 

Public Interface ISP Modem: 99.99.99.99
Internal Interface ISP Modem: 192.168.0.1
External Interface TPLink Wifi Router: 192.168.0.254
Internal Interface TPLink Wifi Router: 192.168.1.1

 

Device 1 IP: 192.168.1.10
Device 2 IP: 192.168.1.11
Device 3 IP: 192.168.1.12

 

For Device 1 :

 

On ISP Modem: Port Forward Port 3389 from Public Interface to External Interface TPLink Wifi Router IP Port 3389
On TPLink: Port Forward Port 3389 from External Interface to Device 1 Port 3389

 

99.99.99.99:3389 --> 192.168.0.254:3389
192.168.0.254:3389 --> 192.168.1.10:3389

 

For Device 2 :

 

On ISP Modem: Port Forward Port 3390 from Public Interface to External Interface TPLink Wifi Router IP Port 3390
On TPLink: Port Forward Port 3390 from External Interface to Device 2 Port 3389

 

99.99.99.99:3390 --> 192.168.0.254:3390
192.168.0.254:3390 --> 192.168.1.11:3389

 

For Device 3 :

 

On ISP Modem: Port Forward Port 3391 from Public Interface to External Interface TPLink Wifi Router IP Port 3391
On TPLink: Port Forward Port 3391 from External Interface to Device 3 Port 3389

 

99.99.99.99:3391 --> 192.168.0.254:3391
192.168.0.254:3391 --> 192.168.1.12:3389

 

To connect to device 1 you simply RDP to port 3389 on your public IP, device 2 is port 3390, etc.

However, as has already been mentioned, from a security point of view exposing RDP directly to the Internet is bad practice: vulnerabilities in RDP and the ability to brute-force it make it an easy target. If you must expose it directly, ensure every device exposed is fully patched (and keep them fully patched) and has unique, complex passwords. If you can restrict the exposure to specific IPs, then that is better.

A better solution is to implement an RDP gateway such as Guacamole (https://guacamole.apache.org/). A small dedicated Linux server running Guacamole could be exposed to the internet and, if configured correctly, should give you a more secure way to expose your machines.

Please note that, as with pretty much all perimeter apps, there have been vulnerabilities in Guacamole too; ensure the server app and OS are kept up to date and only enable the functions you need.

 

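The three-device forwarding chain in the post above, written out as a small added Python model (this is not the poster's material or any router's export). It generates the modem and TPLink rule tables for any list of device addresses, follows a public port through both hops, and flags a modem rule with no matching second-hop rule; the public IP, TPLink WAN address and device addresses are the post's sample values.

```python
# Added example: builds and checks the two-hop port-forward chain described above
# (ISP modem public side -> TPLink WAN address -> device). IPs and ports are the
# post's sample values; the rule tables are constructed here, not router exports.
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)
Table = Dict[int, Endpoint]  # inbound TCP port on this hop -> (next-hop ip, port)

PUBLIC_IP = "99.99.99.99"
TPLINK_WAN = "192.168.0.254"  # the TPLink's address on the modem's 192.168.0.x side
RDP_PORT = 3389               # each device keeps the default RDP listener

def plan_forwarding(devices: List[str], first_public_port: int = RDP_PORT) -> Tuple[Table, Table]:
    """One distinct public port per device (3389, 3390, ...), as in the post.

    Modem rule:  public:port -> TPLink WAN:port   (same port on both sides)
    TPLink rule: WAN:port    -> device:3389       (port rewritten on hop 2)
    """
    modem: Table = {}
    tplink: Table = {}
    for i, dev_ip in enumerate(devices):
        pub_port = first_public_port + i
        modem[pub_port] = (TPLINK_WAN, pub_port)
        tplink[pub_port] = (dev_ip, RDP_PORT)
    return modem, tplink

def resolve(modem: Table, tplink: Table, public_port: int) -> Optional[Endpoint]:
    """Follow a public port through both hops; None if either hop lacks a rule."""
    hop1 = modem.get(public_port)
    if hop1 is None:
        return None
    _, tplink_port = hop1
    return tplink.get(tplink_port)

def dangling_rules(modem: Table, tplink: Table) -> List[int]:
    """Public ports the modem forwards that the TPLink never passes on."""
    return [p for p, (_, tp) in modem.items() if tp not in tplink]

def exposed_surface(modem: Table, tplink: Table) -> List[str]:
    """Every reachable public endpoint: the list to patch, allowlist and monitor."""
    out = []
    for port in sorted(modem):
        dev = resolve(modem, tplink, port)
        if dev is not None:
            out.append(f"{PUBLIC_IP}:{port} -> {dev[0]}:{dev[1]}")
    return out

if __name__ == "__main__":
    m, t = plan_forwarding(["192.168.1.10", "192.168.1.11", "192.168.1.12"])
    print("\n".join(exposed_surface(m, t)))
```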

4 hours ago, Takahashi said:

Exposing RDP to the Internet is relatively straight forward, even behind two routers.

 

 

Thanks for that detailed guide.

 

I have solved it already, sort of similar to what you have mentioned except that I have used more random port numbers on the modem, WiFi router and computers (for whatever protection that might bring). I have also updated my firewall with the RDP port and tried to follow RDP best practices including SSL-only sessions, limiting user account access, limiting specific MAC addresses on the network, etc., and keep my computers up to date with regard to patches.

Connecting to the internet in any fashion has its inherent risks and I don't know if there is any perfect solution to do this. I guess we have to balance the risks and effort vs. the rewards. RDP to my mind seems to be "safe enough". Guacamole has a steep learning curve for me, and it and Linux have their own issues plus the maintenance hassles. Then there is TeamViewer and the like, and I trust them as little as I do my VPN provider. I guess I'm putting my trust in M$ for now, for better or worse.

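Added example, not from the thread: detection logic for the brute-force risk raised in the previous post and for the source-IP restriction both that post and the original poster mention. It scans a constructed set of Windows Security log lines (assumed one-line format; event 4625 is a failed logon, 4624 a successful one, LogonType 10 is an RDP session) and reports source IPs with many failures in a short window plus any RDP logon from an address outside an allowlist.

```python
# Added example: scans constructed Windows Security log lines (assumed format) for the
# RDP brute-force pattern mentioned above and for logons from outside an allowlist.
# Event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Set

LINE = re.compile(r"^(\S+) (\d{4}) LogonType=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")

# Constructed sample (documentation IP ranges); real lines come from the Security log.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2024-05-01T10:00:03Z 4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.7
2024-05-01T10:00:04Z 4625 LogonType=10 TargetUserName=user IpAddress=198.51.100.7
2024-05-01T10:00:06Z 4625 LogonType=10 TargetUserName=test IpAddress=198.51.100.7
2024-05-01T10:00:09Z 4625 LogonType=10 TargetUserName=guest IpAddress=198.51.100.7
2024-05-01T10:05:00Z 4625 LogonType=10 TargetUserName=alice IpAddress=203.0.113.5
2024-05-01T10:05:20Z 4624 LogonType=10 TargetUserName=alice IpAddress=203.0.113.5
2024-05-01T11:00:00Z 4624 LogonType=10 TargetUserName=alice IpAddress=192.0.2.44
2024-05-01T11:30:00Z 4625 LogonType=2 TargetUserName=bob IpAddress=-
"""

def detect(log: str, allowlist: Set[str], threshold: int = 5, window_s: int = 60) -> List[str]:
    """Return alert strings. Only LogonType 10 (RDP) events are considered."""
    alerts: List[str] = []
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    reported = set()             # one brute-force alert per source IP
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # malformed or unrelated line
        ts_s, event, ltype, user, ip = m.groups()
        if ltype != "10":
            continue
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        if event == "4625":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):
                q.popleft()      # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append(f"BRUTE_FORCE {ip}: {len(q)} RDP failures within {window_s}s")
        elif event == "4624" and ip not in allowlist:
            alerts.append(f"UNEXPECTED_SOURCE {ip}: RDP logon as {user} from outside the allowlist")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, {"203.0.113.5"}):
        print(alert)
```

On a real host the same rules can be fed from the Security event log export; the thresholds are a starting point, not a tuned baseline.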